On Wed, Sep 2, 2009 at 11:15 AM, Ken Wachtler <[email protected]> wrote:

>
> Billford,
> Non-authoritative reply based on my memory from 1 1/2 months ago ...
>
> I struggled with this also for several days, and found that clearing the
> syscheck database then running a fresh syscheck was the only thing that
> picked up the new file. Obviously, this was not a good solution, but had to
> move on. Also, I was not able to get syscheck debug mode to kick in.
>
> Some ideas for you ...
> 1. Manually kick off a syscheck, then truss/strace the ossec-syscheckd
> process, to see if the new file is opened.
> 2. While syschecking, truss/strace ossec-analysisd process on the server to
> see if the new file gets analyzed.
> 3. See if the new file gets entered into the syscheck database (text file)
> on the server.
>
>
Thanks Ken. I've tried all that already to no avail. It NEVER sees a new
file, neither for an alert nor in the db. I'm really stuck on it but I've
worked out all the other issues with this particular implementation so
that's gotta be good for something. :-)


Bill
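Ken's third suggestion, confirming whether the new file ever reaches the server-side syscheck database, can be scripted. The following is an added example, not code from this thread or from OSSEC itself; it assumes the database is the per-agent text file the server keeps under /var/ossec/queue/syscheck/ with one `checksum !timestamp path` entry per line (the checksum being `size:perm:uid:gid:md5:sha1`, prefixed with `+++` on first sight), and it runs against a constructed sample rather than a live database.

```shell
#!/bin/sh
# Added example: look a path up in an OSSEC server-side syscheck database.
# Assumed entry format (one per line):
#   +++size:perm:uid:gid:md5:sha1 !timestamp /path/to/file
# The "+++" prefix is assumed to mark a first-seen entry.

# Print every entry for PATH in DBFILE; exit 0 if found, 1 if syscheck never
# recorded it. Paths may contain spaces, so fields 3..NF are rejoined.
syscheck_db_lookup() {
    awk -v p="$2" '
        {
            name = $3
            for (i = 4; i <= NF; i++) name = name " " $i
            if (name == p) { print; found = 1 }
        }
        END { exit (found ? 0 : 1) }
    ' "$1"
}

# Print the MD5 recorded for PATH (last entry wins), nothing if absent.
syscheck_db_md5() {
    syscheck_db_lookup "$1" "$2" | awk '
        {
            if (substr($1, 1, 3) == "+++") $1 = substr($1, 4)
            n = split($1, c, ":")
            if (n >= 5) last = c[5]
        }
        END { if (last != "") print last }
    '
}

# Constructed sample database (hashes are the well-known empty-input digests
# and made-up values, not real file checksums).
write_sample_db() {
    cat > "$1" <<'EOF'
+++220:33188:0:0:d41d8cd98f00b204e9800998ecf8427e:da39a3ee5e6b4b0d3255bfef95601890afd80709 !1251900000 /etc/newfile.conf
+++1024:33188:0:0:0cc175b9c0f1b6a831c399e269772661:86f7e437faa5a7fce15d1ddcb9eaeaea377667b8 !1251900001 /etc/hosts
+++12:33188:1000:1000:92eb5ffee6ae2fec3ad71c777531578f:e9d71f5ee7c92d6dc9e92ffdad17b8bd49418f98 !1251900002 /tmp/new file.txt
EOF
}

# Demo: the first path was recorded, the second never was.
db=$(mktemp)
write_sample_db "$db"
for f in /etc/newfile.conf /etc/not-yet-seen.conf; do
    if entry=$(syscheck_db_lookup "$db" "$f"); then
        echo "present: $entry"
    else
        echo "absent:  $f (syscheck never recorded it)"
    fi
done
echo "md5 of /etc/newfile.conf: $(syscheck_db_md5 "$db" /etc/newfile.conf)"
rm -f "$db"
```

On a real server, point `syscheck_db_lookup` at the agent's file under /var/ossec/queue/syscheck/ right after the syscheck run finishes; an "absent" result there confirms the file never made it past the agent, narrowing the problem to the agent side.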
